- Open a private GitHub Security Advisory: https://github.com/technophylax/ocpa/security/advisories/new
- Please include: description, impact, steps to reproduce, affected version/commit, suggested fix if known.
- We aim to acknowledge within 2 business days.
- In scope: the main branch and tagged releases.
- Do not test against production deployments you don’t own.
- Do not exploit beyond what is needed for a proof of concept; share logs or traces if it is safe to do so.
- Out of scope: social engineering, physical attacks, and issues that require privileged local access outside OCPA.
- Maintainers: run a secret scan (gitleaks or trufflehog) over the full git history before each public release; the repository's Actions workflows are wired so these scans can be run on demand.